Hackers’ Target access came via the heating/AC guys

Right now, someone is writing a thriller screenplay whose working title is “Target.” Or at least they should be, given the latest report that the hackers of that retail giant got network credentials from a HVAC subcontractor working at the store chain.

In a posting Wednesday on his Krebs on Security blog, cybersecurity journalist and ex-Washington Post reporter Brian Krebs cited “sources close to the investigation” for his report that network log-on credentials have been traced to a Pennsylvania-based provider of heating, refrigeration, and air conditioning. The attack on the Target stores, which Krebs originally made public, resulted in the theft of data from 40 million credit/debit cards used during the holidays, and personal data on as many as 70 million customers.

Ross Fazio, the president of Fazio Mechanical Services, confirmed to Krebs that the U.S. Secret Service paid a visit to his offices, but the company declined to offer any details. On its website, Fazio cites work it has done on Target stores in Hilliard, Ohio, and Columbia, Md., in addition to such other chains as Trader Joe’s, Whole Foods, Giant Eagle, and BJ’s Wholesale Club. Target has only said that the credentials were stolen from a third-party vendor.

‘Targeted attack’

Krebs notes that payment-card industry standards do not require separate networks for financial and nonfinancial operations, so it’s possible that log-on credentials to monitor energy consumption or mechanical processes could also have been valid to directly or indirectly enter Target’s point-of-sale systems.

This latest twist is another verification that the theft was conducted by a sophisticated, highly organized professional operation. Krebs also noted that the attackers utilized a nearly two-week period around Thanksgiving to upload their malware to some Target cash registers in order to beta test it. They even used some compromised computers in the U.S. and Brazil to temporarily store the stolen data until the criminal ring could reportedly transfer it. The crooks are reportedly in Eastern Europe and Russia.

“It was definitely a targeted attack,” Peter Firstbrook, a security analyst with industry research firm Gartner, told VentureBeat with pun intended. He added that, as the story deepens, it reinforces “something I’ve been predicting, which is that there is and will be a lot more physical espionage involved with computer crimes.”

For example, Firstbrook said, “the easiest way to get around a firewall is to physically get into the building.” Exhibit A, he noted, is former NSA contractor Edward Snowden.

In other news that the fast-typing screenwriter may or may not use, the Target CFO said this week that the company is investing in chip-based credit card technology, which is considered more secure than the magnetic striped ones still commonly found in the U.S.